aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjc_gargma <jc_gargma@iserlohn-fortress.net>2018-10-07 03:38:35 -0700
committerjc_gargma <jc_gargma@iserlohn-fortress.net>2018-10-07 03:38:35 -0700
commite0940e63e575d11cc5e8c3f6305b97265dd94f38 (patch)
tree58fb01ddad757b735c0ce6275375df8a049debe0
parentAdd "subwindow.shortcuts.menu" shortcut (diff)
downloadsmolbote-e0940e63e575d11cc5e8c3f6305b97265dd94f38.tar.xz
Updated firejail profile
-rw-r--r--data/poi.profile22
1 files changed, 15 insertions, 7 deletions
diff --git a/data/poi.profile b/data/poi.profile
index acc49a0..02c0ec4 100644
--- a/data/poi.profile
+++ b/data/poi.profile
@@ -12,10 +12,10 @@ noblacklist ${HOME}/.local/share/smolbote
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
-
-blacklist /run/user/*/bus
+include /etc/firejail/disable-xdg.inc
mkdir ${HOME}/.cache/smolbote
mkdir ${HOME}/.config/smolbote
@@ -31,6 +31,10 @@ include /etc/firejail/whitelist-common.inc
## caps.drop all - Removes the ability to call programs usually run only by root. Ex - chown, setuid
caps.drop all
+## ipc-namespace - Enable a new IPC namespace if the sandbox was started as a regular user.
+# Breaks audio
+# ipc-namespace
+
## machine-id - Generates a random machine-id each time the program is run, rather than using the static system machine-id.
# Breaks audio
# machine-id
@@ -38,6 +42,9 @@ caps.drop all
## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
netfilter
+## nodbus - Disable access to dbus.
+nodbus
+
## nodvd - Disable access to optical disk drives.
nodvd
@@ -60,12 +67,14 @@ novideo
protocol unix,inet,inet6,netlink
## seccomp - Blacklists a large swath of syscalls from being accessible.
-seccomp
+#seccomp
+## Use seccomp.drop for now as seccomp is broken with many programs.
+seccomp.drop @clock,@cpu-emulation,@module,@obsolete,@privileged,@raw-io,@reboot,@resources,@swap,ptrace
## shell - Run the program directly, without a user shell.
shell none
-## tracelog - Log all viloations to syslog
+## tracelog - Log all viloations to syslog.
tracelog
@@ -74,15 +83,14 @@ disable-mnt
## private-bin - Creates a virtual /bin directory containing only temporary copies of the following executables.
# bash required to launch from kde kickoff menu
-# QtWebEngine executes from /usr/lib which prevents usage of this option for now
-#private-bin bash,poi
+private-bin bash,poi
## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
private-dev
## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories.
# Experimental support for only fonts, alsa audio, and dns resolution.
-private-etc fonts,machine-id,resolv.conf
+private-etc fonts,group,machine-id,resolv.conf
## private-tmp - Creates a virtual /tmp directory to prevent the program from accessing the /tmp files from other programs.
private-tmp